IDP proxy - attribute

Cantor, Scott cantor.2 at
Fri Aug 14 17:10:47 UTC 2020

On 8/14/20, 12:55 PM, "users on behalf of Jerry Bailie" <users-bounces at on behalf of jebailie at> wrote:

>    Stating a different way, the aim is to 'passthrough' an attribute from the proxy to the SP.

That isn't a different way, that's the question I answered.

>    For example, surname (which is released by the proxy and can be found in the SAML).

If the attribute is named in accordance with the standards, then the existing rules work. If it is not, then you either fix it so that it is (if you control the IdP), tell somebody else to fix it, or add custom rules to map the made-up naming used by the IdP to produce the internal attribute ID you want to operate on.

"sn" is the standard internal ID for the data you're calling surname, and the standard name for that in SAML is the URI-format name "urn:oid:" (that's the Attribute Name, and the NameFormat MUST be "urn:oasis:names:tc:SAML:2.0:attrname-format:uri").

And that's what the default rule is in conf/attributes/inetOrgPerson.xml.

Etc. for eduPersonScopedAffiliation and any other attributes with default rules defined.

And you can't use different internal names and have them work out of the box. If you don't use the conventional IDs for the attributes within the system (e.g. using surname instead of sn), then that also adds friction and custom configuration requirements.

-- Scott
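As an added example (not from the thread and not Shibboleth's own code), the matching described above: a rule is keyed on both the SAML Attribute Name and its NameFormat, so a conformant attribute decodes to the internal ID "sn", a made-up name like "surname" decodes to nothing until a custom rule is added, and the right OID sent with the wrong NameFormat is also dropped. The OID 2.5.4.4 for sn comes from the standard X.520 schema (the page elides it); the XML statements are constructed.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted assertions in production

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Default-style rule: (SAML Name, NameFormat) -> internal attribute ID.
# 2.5.4.4 is the X.520 OID for sn (assumed from the standard schema, not from the page).
DEFAULT_RULES = {("urn:oid:2.5.4.4", FMT_URI): "sn"}


def make_statement(name, name_format, value):
    """Build a constructed single-attribute AttributeStatement for the demo."""
    return (
        f'<saml:AttributeStatement xmlns:saml="{NS}">'
        f'<saml:Attribute Name="{name}" NameFormat="{name_format}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement>"
    )


def decode_attributes(statement_xml, rules):
    """Return {internal_id: [values]} for attributes that match a rule; others are dropped."""
    root = ET.fromstring(statement_xml)
    decoded = {}
    for attr in root.iter(f"{{{NS}}}Attribute"):
        # SAML 2.0 core: an absent NameFormat means "unspecified".
        key = (attr.get("Name"), attr.get("NameFormat", FMT_UNSPECIFIED))
        internal_id = rules.get(key)
        if internal_id is None:
            continue  # no rule for this Name/NameFormat pair: nothing is passed through
        values = [v.text or "" for v in attr.findall(f"{{{NS}}}AttributeValue")]
        decoded.setdefault(internal_id, []).extend(values)
    return decoded


def standard_name():
    # Conformant IdP: URI-format name with the uri NameFormat -> internal "sn".
    return decode_attributes(make_statement("urn:oid:2.5.4.4", FMT_URI, "Doe"), DEFAULT_RULES)


def made_up_name(custom_rule=False):
    # IdP sends "surname" in basic format; only a custom rule maps it onto "sn".
    rules = dict(DEFAULT_RULES)
    if custom_rule:
        rules[("surname", FMT_BASIC)] = "sn"
    return decode_attributes(make_statement("surname", FMT_BASIC, "Doe"), rules)


def wrong_name_format():
    # Right OID but basic NameFormat: the uri rule does not apply, so it is dropped.
    return decode_attributes(make_statement("urn:oid:2.5.4.4", FMT_BASIC, "Doe"), DEFAULT_RULES)
```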
